About Me

Reputability are thought leaders in the field of reputational risk and its root causes, behavioural risk and organisational risk. Our book 'Rethinking Reputational Risk' received excellent reviews: see www.rethinkingreputationalrisk.com. Anthony Fitzsimmons, one of its authors, is an authority and accomplished speaker on reputational risks and their drivers.
Reputability helps business leaders to find these widespread but hidden risks that regularly cause reputational disasters. We also teach leaders and risk teams about these risks.
Here are our thoughts, and the thoughts of our guest bloggers, on some recent stories which have captured our attention. We are always interested to know what you think too.

Friday, 12 May 2017

According to the Financial Times, the WanaCrypt0r ransomware (widely reported as WannaCry) was a weaponised development of the US National Security Agency's 'EternalBlue' exploit, part of a "highly classified NSA arsenal of digital weapons leaked online last year by a group called the Shadow Brokers".

Early reports suggested that WanaCrypt0r was distributed by the common route of an email attachment, opened by numerous recipients who did not identify it as suspicious. Whatever the initial point of entry, the EternalBlue component gave it a far more dangerous property: once inside a network it could spread from one unpatched Windows machine to the next without any further action by a user.

"Many NHS trusts still use Windows XP, a version of Microsoft's operating system that has not received publicly available security updates for half a decade, and even well-patched operating systems cannot help users who are tricked into running software deliberately."

"Michael Fallon [was] forced to defend the Government's decision not to fund crucial updates for NHS computer systems, leaving them vulnerable to a global cyber attack which caused chaos at hospitals across the country."

"Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action."

According to Keren Elazari, the sectors where unsupported software systems are most prevalent are those where safety matters:

"healthcare, energy and transport; as well as finance and other industries where computer systems provide the foundations for modern functionality."

The obvious explanation for the prevalence of unsupported systems is cost-cutting by people who do not understand the consequences, in this case the risks of running outdated, unsupported operating systems. This now seems to include a Government minister who did not listen to advice on a subject he did not understand.

If so, this is a classic case of cost-cutting to produce a short-term gain at the cost of a systemic weakness that goes on to cause great pain when the risk eventually manifests. Cost-cutting in ignorance of the consequences is a risk that typically emanates from the highest levels of leadership, and it regularly causes failures.

“An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen.”

No organisation can guarantee the security of valuable tools such as these against a determined external attacker or internal leaker. These risks will always be greater than zero.

If surveillance and cyber-warfare tools escape into the hands of criminals or hostile state actors, the potential for harm will broadly be in proportion to the versatility of the tools and to the creativity and motivation of those who use them. There can be no doubt that a determined, skilled and motivated group of hackers could design an event to cause great harm and outrage, just as Al Qaeda did with its carefully designed and planned "9/11" attack on the USA. These are perfect weapons for the weak.

Given that there is a finite risk of cyber-warfare tools 'escaping', the question is whether intelligence agencies, and the politicians who ultimately control them, have considered the risk and consequences of the tools they develop being turned against their own countries and allies. Even if the probability of the tools being stolen is thought to be very low (a foolhardy assumption), the potential for harm to the public is unknowably great.

This is yet another example of the risks of balancing short term gains against the long term consequences of systemic weaknesses. The problem with this balancing act is that it is rarely possible to quantify the consequences of systemic weaknesses, especially where deliberately caused harm is involved. History shows that it is easy to overlook or underestimate them. The problem is exacerbated by leaders' tendency to give more weight to imminent than to distant consequences.

As to the security services, the likelihood is that the current cyber attack will come to be seen as small beer. When that happens, the reputation, and licence to operate, of any security agency whose software has been turned against its own state or a friendly state will be balanced on a knife edge. Other security agencies will be at risk of collateral damage.

As to the NHS, a series of scandals of incompetence, catalogued by Richard Bacon in his book "Conundrum", has left the NHS and its leaders with a poor reputation for competence when it comes to IT. If it eventually emerges that the NHS IT estate had weaknesses that left it vulnerable to this attack, its reputation for competence will be damaged further. Emerging evidence suggests that it will also leave the reputation of the minister who cancelled the IT support contract in tatters.